Skip to content

Commit

Permalink
deps: replace rsa crate with openssl (#54)
Browse files Browse the repository at this point in the history
fixes #51
fixes #46

The rsa crate is being reported in audit jobs due to a timing-related
security issue. The project is not committed to address this in the near
time, since the solution involves switching to a big-num dependency with
worse security characteristics.

We can leave it up to the consumer of an attester-only crate to convert
the pubkey into a library struct.

Signed-off-by: Magnus Kulke <[email protected]>
  • Loading branch information
mkulke authored Jul 8, 2024
1 parent db31c51 commit 7a30967
Show file tree
Hide file tree
Showing 6 changed files with 34 additions and 25 deletions.
3 changes: 1 addition & 2 deletions az-cvm-vtpm/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "az-cvm-vtpm"
version = "0.5.3"
version = "0.6.0"
edition = "2021"
repository = "https://github.com/kinvolk/azure-cvm-tooling/"
license = "MIT"
Expand All @@ -23,7 +23,6 @@ bincode.workspace = true
jsonwebkey = { version = "0.3.5", features = ["pkcs-convert"] }
memoffset = "0.9.0"
openssl = { workspace = true, optional = true }
rsa = { version = "0.9.6", features = ["pkcs5", "sha2"] }
serde.workspace = true
serde_json.workspace = true
serde-big-array = "0.5.1"
Expand Down
4 changes: 2 additions & 2 deletions az-cvm-vtpm/az-snp-vtpm/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "az-snp-vtpm"
version = "0.5.3"
version = "0.6.0"
edition = "2021"
repository = "https://github.com/kinvolk/azure-cvm-tooling/"
license = "MIT"
Expand All @@ -17,7 +17,7 @@ path = "src/main.rs"
required-features = ["attester", "verifier"]

[dependencies]
az-cvm-vtpm = { path = "..", version = "0.5.3" }
az-cvm-vtpm = { path = "..", version = "0.6.0" }
bincode.workspace = true
clap.workspace = true
openssl = { workspace = true, optional = true }
Expand Down
4 changes: 2 additions & 2 deletions az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "az-tdx-vtpm"
version = "0.5.3"
version = "0.6.0"
edition = "2021"
repository = "https://github.com/kinvolk/azure-cvm-tooling/"
license = "MIT"
Expand All @@ -16,7 +16,7 @@ name = "tdx-vtpm"
path = "src/main.rs"

[dependencies]
az-cvm-vtpm = { path = "..", version = "0.5.3" }
az-cvm-vtpm = { path = "..", version = "0.6.0" }
base64-url = "3.0.0"
bincode.workspace = true
serde.workspace = true
Expand Down
3 changes: 1 addition & 2 deletions az-cvm-vtpm/src/hcl/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -146,8 +146,7 @@ impl HclReport {
}
let mut hasher = Sha256::new();
hasher.update(self.var_data_slice());
let hash = hasher.finalize();
hash.into()
hasher.finalize().into()
}

/// Get the slice of the VarData section
Expand Down
39 changes: 26 additions & 13 deletions az-cvm-vtpm/src/vtpm/mod.rs
Original file line number Diff line number Diff line change
@@ -1,12 +1,9 @@
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.

use rsa::{BigUint, RsaPublicKey};
use serde::{Deserialize, Serialize};
use thiserror::Error;
use tss_esapi::abstraction::nv;
use tss_esapi::abstraction::pcr;
use tss_esapi::abstraction::public::DecodedKey;
use tss_esapi::abstraction::{nv, pcr, public::DecodedKey};
use tss_esapi::handles::TpmHandle;
use tss_esapi::interface_types::algorithm::HashingAlgorithm;
use tss_esapi::interface_types::resource_handles::NvAuth;
Expand Down Expand Up @@ -79,12 +76,28 @@ pub enum AKPubError {
Tpm(#[from] tss_esapi::Error),
#[error("asn1 der error")]
WrongKeyType,
#[error("rsa error")]
OpenSsl(#[from] rsa::errors::Error),
}

#[derive(Serialize, Deserialize, Debug)]
pub struct PublicKey {
n: Vec<u8>,
e: Vec<u8>,
}

impl PublicKey {
/// Get the modulus of the public key as big-endian unsigned bytes
pub fn modulus(&self) -> &[u8] {
&self.n
}

/// Get the public exponent of the public key as big-endian unsigned bytes
pub fn exponent(&self) -> &[u8] {
&self.e
}
}

/// Get the AK pub of the vTPM
pub fn get_ak_pub() -> Result<RsaPublicKey, AKPubError> {
pub fn get_ak_pub() -> Result<PublicKey, AKPubError> {
let conf: TctiNameConf = TctiNameConf::Device(DeviceConfig::default());
let mut context = Context::new(conf)?;
let tpm_handle: TpmHandle = VTPM_AK_HANDLE.try_into()?;
Expand All @@ -96,12 +109,12 @@ pub fn get_ak_pub() -> Result<RsaPublicKey, AKPubError> {
return Err(AKPubError::WrongKeyType);
};

let bytes = rsa_pk.modulus.as_unsigned_bytes_be();
let n = BigUint::from_bytes_be(bytes);
let bytes = rsa_pk.public_exponent.as_unsigned_bytes_be();
let e = BigUint::from_bytes_be(bytes);

let pkey = RsaPublicKey::new(n, e)?;
let bytes_n = rsa_pk.modulus.as_unsigned_bytes_be();
let bytes_e = rsa_pk.public_exponent.as_unsigned_bytes_be();
let pkey = PublicKey {
n: bytes_n.into(),
e: bytes_e.into(),
};
Ok(pkey)
}

Expand Down
6 changes: 2 additions & 4 deletions az-cvm-vtpm/src/vtpm/verify.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,8 @@
// Licensed under the MIT License.

use super::{Quote, QuoteError};
use openssl::hash::MessageDigest;
use openssl::pkey::{PKey, Public};
use openssl::sign::Verifier;
use sha2::{Digest, Sha256};
use openssl::{hash::MessageDigest, sha::Sha256, sign::Verifier};
use thiserror::Error;
use tss_esapi::structures::{Attest, AttestInfo};
use tss_esapi::traits::UnMarshall;
Expand Down Expand Up @@ -79,7 +77,7 @@ impl Quote {
hasher.update(pcr);
}

let digest = hasher.finalize();
let digest = hasher.finish();
if digest[..] != pcr_digest[..] {
return Err(VerifyError::PcrMismatch);
}
Expand Down

0 comments on commit 7a30967

Please sign in to comment.